SOC 147 - SSH Scan Activity

Investigate suspicious scanning activity

[Alert Details]

Severity: Medium

EventID : 94
Event Time : Jun, 13, 2021, 04:23 PM
Rule : SOC147 - SSH Scan Activity
Source Address : 172.16.20.5
Source Hostname : PentestMachine
File Name : nmap
File Hash : 3361bf0051cc657ba90b46be53fe5b36
File Size : 2.82 MB
Device Action : Allowed

[Analysis]

With the provided alert details, we'll first take a look at the triggering file's hash 3361bf0051cc657ba90b46be53fe5b36 to get an idea of whether it's malicious and whether it is indeed the file it claims to be.

To do so, we'll do some OSINT (Open Source Intelligence) using VirusTotal.

0/63 malicious detections in VirusTotal

(Optional) Run the file hash through Hybrid-Analysis for a secondary check on the file, in case you're not satisfied with VirusTotal's results. It doesn't hurt to get a second resource to verify your findings!

So now we've confirmed that the file is indeed Nmap.

Nmap is an open-source network discovery tool that is widely used by security professionals and network administrators to map networks, identify live hosts, and assess the security of computer systems.

Next, we'll take a look at the activities from the host this alert is triggering from: PentestMachine with the IP 172.16.20.5. We'll navigate to the Endpoint Security tab and search for the machine's name to see what other activities it has performed.

From the Details area, we can open up each link to see if there is anything of interest in the Browser History, Command History, Network Connections, and Process List.

Command observed from this host
Hosts that responded to the scan
Other processes on the host

We can see that the command nmap -sV -sP 172.16.20.0/24 was run from this machine, performing a network scan of the specified IP range using both version detection (-sV) and a ping scan (-sP) to determine which hosts are up or down.

From what we know so far, it seems to be an internal pentesting machine conducting a scan for possible vulnerabilities. What we can also do is check the Mailbox section to see if an internal team member notified the SOC of a planned pentest.

Informational email from Ellie notifying the SOC of a planned scan.

We can verify that this was a planned scan from Ellie; her email even gives us the hostname and IP of the machine she will be scanning from, which matches the details in this alert. Now we can proceed to close out the case and answer the questions in the playbook!
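As an added example (not part of this writeup or the LetsDefend platform), here is the kind of logic a rule like SOC147 would apply to network-connection records: one source opening connections to many distinct hosts on port 22 within a short window, and a check of that source against a register of scans announced to the SOC so that a planned scan like Ellie's can be flagged as expected rather than investigated from scratch. The log lines, the threshold, the window and the PLANNED_SCANS register are all constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of endpoint network-connection records (not from the alert).
# Format: "<ISO time> <src_ip> <dst_ip> <dst_port> <state>"
SAMPLE_LOG = """\
2021-06-13T16:22:58 172.16.20.5 172.16.20.1 22 SYN
2021-06-13T16:22:58 172.16.20.5 172.16.20.2 22 SYN
2021-06-13T16:22:59 172.16.20.5 172.16.20.3 22 SYN
2021-06-13T16:22:59 172.16.20.5 172.16.20.4 22 SYN
2021-06-13T16:23:00 172.16.20.5 172.16.20.6 22 SYN
2021-06-13T16:23:00 172.16.20.5 172.16.20.7 22 SYN
2021-06-13T16:23:01 172.16.20.5 172.16.20.8 22 SYN
2021-06-13T16:23:01 172.16.20.5 172.16.20.9 22 SYN
2021-06-13T16:23:02 172.16.20.5 172.16.20.10 22 SYN
2021-06-13T16:23:02 172.16.20.5 172.16.20.11 22 SYN
2021-06-13T16:23:05 172.16.20.44 172.16.20.1 22 SYN
2021-06-13T16:25:00 172.16.20.44 172.16.20.2 22 SYN
"""

THRESHOLD = 10                  # distinct SSH targets from one source ...
WINDOW = timedelta(seconds=60)  # ... within this sliding window

# Hypothetical register of scans announced to the SOC (Ellie's email, in this case).
PLANNED_SCANS = {"172.16.20.5": "PentestMachine - announced by Ellie"}


def detect_ssh_scans(log_text, threshold=THRESHOLD, window=WINDOW, planned=PLANNED_SCANS):
    """Return {src: {"targets": n, "planned": note_or_None}} for every source
    that reached at least `threshold` distinct hosts on port 22 inside `window`."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src, dst, port, _state = line.split()
        if port != "22":
            continue  # rule only cares about SSH attempts
        by_src[src].append((datetime.fromisoformat(ts), dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Slide the window start over each event and count distinct destinations.
        for i, (t0, _) in enumerate(events):
            targets = {dst for t, dst in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= threshold:
            alerts[src] = {"targets": best, "planned": planned.get(src)}
    return alerts


if __name__ == "__main__":
    for src, info in detect_ssh_scans(SAMPLE_LOG).items():
        verdict = "expected - " + info["planned"] if info["planned"] else "investigate"
        print(f"{src}: {info['targets']} SSH targets -> {verdict}")
```

The source that only touched two hosts never reaches the threshold, so it produces no alert; the planned-scan note does not suppress the alert, it only annotates it, so the analyst still sees the activity and can confirm it against the email as done above.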

[Alert Results]

False Positive? Yes (+5)
Was it malware? We put "no" but apparently it was. (-5)
Was it quarantined? No (+5)

[Summary of the Alert]

An alert was received for SSH scanning activity originating from PentestMachine with the IP 172.16.20.5. Upon investigation of the host's activities and confirmation from Ellie via email, this was a planned and legitimate use of Nmap. The SOC determined this to be a false positive.

[Overall Thoughts]

This is a common alert I'd come across in the workplace. Part of the investigation is to confirm the activity by contacting the team or user conducting the scan. A basic search for the hash is usually one of the first steps. I often don't analyze the actual file using static and dynamic techniques unless it has a high malicious disposition and the details in VirusTotal or other public sandboxes don't provide me with enough information. Otherwise, this is one of many ways to approach an alert of this type. Definitely a real-world example. I don't consider Nmap to be malware. The playbook answer could be debated.
